diff --git a/tests/Feature_v2/Settings/UpdateSettingsTest.php b/tests/Feature_v2/Settings/UpdateSettingsTest.php
index 7de9f2b8a54..efda32a0294 100644
--- a/tests/Feature_v2/Settings/UpdateSettingsTest.php
+++ b/tests/Feature_v2/Settings/UpdateSettingsTest.php
@@ -87,4 +87,64 @@ public function testUpdateSettingsAdmin(): void
 		]);
 		$this->assertCreated($response);
 	}
+
+	public function testUpdateCssForbidden(): void
+	{
+		$response = $this->postJson('Settings::setCSS', []);
+		$this->assertUnprocessable($response);
+
+		$response = $this->postJson('Settings::setCSS', [
+			'css' => 'body { background-color: red; }',
+		]);
+		$this->assertUnauthorized($response);
+
+		$response = $this->actingAs($this->userMayUpload1)->postJson('Settings::setCSS', []);
+		$this->assertUnprocessable($response);
+
+		$response = $this->actingAs($this->userMayUpload1)->postJson('Settings::setCSS', [
+			'css' => 'body { background-color: red; }',
+		]);
+		$this->assertForbidden($response);
+	}
+
+	public function testUpdateCssAdmin(): void
+	{
+		$response = $this->actingAs($this->admin)->postJson('Settings::setCSS', []);
+		$this->assertUnprocessable($response);
+
+		$response = $this->actingAs($this->admin)->postJson('Settings::setCSS', [
+			'css' => 'body { background-color: red; }',
+		]);
+		$this->assertNoContent($response);
+	}
+
+	public function testupdateJsForbiddne(): void
+	{
+		$response = $this->postJson('Settings::setJS', []);
+		$this->assertUnprocessable($response);
+
+		$response = $this->postJson('Settings::setJS', [
+			'js' => 'console.log("Hello World!");',
+		]);
+		$this->assertUnauthorized($response);
+
+		$response = $this->actingAs($this->userMayUpload1)->postJson('Settings::setJS', []);
+		$this->assertUnprocessable($response);
+
+		$response = $this->actingAs($this->userMayUpload1)->postJson('Settings::setJS', [
+			'js' => 'console.log("Hello World!");',
+		]);
+		$this->assertForbidden($response);
+	}
+
+	public function testUpdateJsAdmin(): void
+	{
+		$response = $this->actingAs($this->admin)->postJson('Settings::setJS', []);
+		$this->assertUnprocessable($response);
+
+		$response = $this->actingAs($this->admin)->postJson('Settings::setJS', [
+			'js' => 'console.log("Hello World!");',
+		]);
+		$this->assertNoContent($response);
+	}
 }
\ No newline at end of file